lp:~henn/apparmor/fix-for-1665535

Created by Jay Hennessey and last modified
Get this branch:
bzr branch lp:~henn/apparmor/fix-for-1665535

Branch information

Owner:
Jay Hennessey
Project:
AppArmor
Status:
Merged

Recent revisions

3631. By Jay Hennessey

* Fix LP: #1665535 - Enable camera access in browser apparmor profile for WebRTC

3630. By Steve Beattie

regression tests: fix environ fail case

In the environ regression test, when the exec() of the child process
fails, we don't report FAIL to stdout, so the regression tests consider
it an error rather than a failure and abort, short-circuiting the
test script.

This commit fixes this by emitting the FAIL message when the result
from the wait() syscall indicates the child process did not succeed.

Signed-off-by: Steve Beattie <email address hidden>
Acked-by: Seth Arnold <email address hidden>

3629. By Christian Boltz

Rename global variable "pid" to "log_pid"

aa.py has a global variable "pid", but it also has several functions
that use "pid" as a local variable name. do_logprof_pass() even uses
both - first, it passes the global variable to ReadLog, and then it
creates a local variable in the "for pid in ..." loop.

This patch renames the global variable to log_pid to get rid of the
confusion.

Note that the global variable is only handed over to ReadLog, and the
only case where its previous content _might_ be used is aa-genprof which
does multiple do_logprof_pass() runs.

Maybe we could even get rid of this variable in aa.py and make it local
to the ReadLog class, but I'm not sure if that would affect aa-genprof
in interesting[tm] ways.

Acked-by: John Johansen <email address hidden>

3628. By Christian Boltz

Dovecot profile: change Px to mrPx for /usr/lib/dovecot/*

Some of the /usr/lib/dovecot/* rules already have mrPx permissions,
while others don't.

With a more recent kernel, I noticed that at least auth, config, dict,
lmtp, pop3 and ssl-params need mrPx instead of just Px (confirmed by the
audit.log and actual breakage caused by the missing mr permissions).

The mr additions for anvil, log and managesieve are just a wild guess,
but I would be very surprised if they don't need mr.

Acked-by: Seth Arnold <email address hidden> for trunk, 2.10 and 2.9.

3627. By Christian Boltz

Dovecot profile update

Add several permissions to the dovecot profiles that are needed on ubuntu
(surprisingly not on openSUSE, maybe it depends on the dovecot config?)

As discussed some weeks ago, the added permissions use only /run/
instead of /{var/,}run/ (which is hopefully superfluous nowadays).

References: https://bugs.launchpad.net/apparmor/+bug/1512131

Acked-by: Seth Arnold <email address hidden> for trunk, 2.10 and 2.9.

3626. By Kees Cook

glibc uses /proc/*/auxv and /proc/*/status files, too

Acked-by: Seth Arnold <email address hidden>

3625. By Kees Cook

Apache2 profile updates for proper signal handling, optional saslauth,
and OCSP stapling

Acked-by: Seth Arnold <email address hidden>

3624. By Christian Boltz

Drop unused global variables in aa.py

Grepping through the code shows that running_under_genprof,
unimplemented_warning, ALL, t, seen and skip are unused, so drop them.

Acked-by: Steve Beattie <email address hidden>

Also drop a "# t = hasher()" comment, as noticed by Steve.

3623. By Kees Cook

pass LDFLAGS fully into build

Acked-by: John Johansen <email address hidden>
Signed-off-by: Tyler Hicks <email address hidden>

3622. By Christian Boltz

[7/7] Drop most of aa-mergeprof ask_the_questions()

Replace most of aa-mergeprof ask_merge_questions() with a call to
aa.py ask_the_questions() (which is, besides some small exceptions that
are not relevant for aa-mergeprof, in sync with the dropped code).

The remaining part gets renamed to ask_merge_questions() to avoid
confusion with the function name in aa.py. Also drop the (now
superfluous) parameter.

aa.py ask_the_questions() needs to allow 'merge' as aamode.
While on it, replace the fatal_error() call for unknown aamode with
raising an AppArmorBug.

Acked-by: Seth Arnold <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:apparmor/2.12